New Internet of Things security code aims to stamp out Mirai and other threats

We’ve seen the chaos that the Mirai botnet can cause – not to mention the potential havoc that related variants could wreak – but the good news is that the UK government is making moves to shore up Internet of Things security against such threats.

The government has just published the ‘Secure by Design’ policy paper which contains a draft code of practice for consumer IoT products and services, as pointed out by David Rogers, the author of that draft code (in conjunction with other organisations like the ICO).

As the government states, the broad idea is as follows: “This report advocates a fundamental shift in approach: moving the burden away from consumers having to secure their devices and instead ensuring strong security is built into consumer ‘internet of things’ (IoT) products by design.”

Specifically, the draft code calls for manufacturers to be held to certain basic IoT security standards, outlining 13 steps to improve security, with three central measures specifically given priority. That trio includes changing the practice of leaving default passwords in place – which is obviously a major security risk – as well as keeping software updated with security fixes, and giving security researchers a way to disclose vulnerabilities which have been found.

Security bar

Rogers observed: “We can either have a lowest common denominator approach to security or we can say ‘this is the bar and you must at least have these basics in place’.

“In 2018 it just simply isn’t acceptable to have things like default passwords and open ports. This is how stuff like Mirai happens. The guidance addresses those issues and had it been in place, the huge impact of Mirai would simply not have occurred.”

As the Internet of Things continues its explosive expansion and more connected devices proliferate, there are certainly obvious reasons why a system ensuring tighter overall security needs to be put in place.

The policy paper and draft code therein are just a first step for now, with the government expecting to receive feedback from the tech industry at large, as well as academic institutions and international bodies. That will all be taken on board as the proposal is developed further.